21 December 2020

Magecart hackers accidentally exposed list of compromised victims

A web skimming group inadvertently leaked a list of 41 previously hacked online stores. Sansec researchers found the list while examining a dropper used to deploy a stealthy Remote Access Trojan (RAT) designed to give the attackers long-term access to eCommerce sites so they can steal customers' personal and financial information.

The RAT is delivered as a 64-bit ELF executable that hides among the server's processes and masquerades as the DNS or SSH server daemon so as not to raise suspicion. According to the researchers, the malware stays dormant almost all day, waking up only once, at 7am, to connect to its command and control server and request instructions.
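A process that only borrows a daemon's name still has to run from somewhere, so one cheap check a practitioner can run on a suspect Magento host is to compare each process's name (`/proc/<pid>/comm`) with the path its executable actually resolves to (`/proc/<pid>/exe`). The script below is an added example, not Sansec's tooling or the dropper's own code; the canonical binary paths in `EXPECTED_BINARIES` and the `SAMPLE_PROCS` process list are assumptions constructed for illustration, so adjust the paths for your distribution.

```python
"""Flag processes whose name claims to be sshd/named/dnsmasq but whose
executable is not the real daemon binary.

Added example for this article (not Sansec's or the attacker's code).
The expected paths below are assumptions; check them on your distro.
"""
import os
from typing import Dict, Iterable, List, Tuple

# Assumed canonical locations of the daemons the RAT imitates.
# /proc/<pid>/comm is truncated to 15 characters, so keep keys short.
EXPECTED_BINARIES: Dict[str, Tuple[str, ...]] = {
    "sshd": ("/usr/sbin/sshd",),
    "named": ("/usr/sbin/named",),
    "dnsmasq": ("/usr/sbin/dnsmasq",),
}


def is_masquerading(comm: str, exe: str) -> bool:
    """True if `comm` is a daemon we track but `exe` is not its real binary.

    A binary that was unlinked after exec shows up as "<path> (deleted)"
    in /proc/<pid>/exe; droppers that remove themselves trip this too.
    """
    expected = EXPECTED_BINARIES.get(comm)
    if expected is None:
        return False
    if exe.endswith(" (deleted)"):
        return True
    return os.path.normpath(exe) not in expected


def find_masquerading(
    procs: Iterable[Tuple[int, str, str]]
) -> List[Tuple[int, str, str]]:
    """Return the (pid, comm, exe) entries that fail is_masquerading()."""
    return [(pid, comm, exe) for pid, comm, exe in procs if is_masquerading(comm, exe)]


def read_proc() -> List[Tuple[int, str, str]]:
    """Enumerate live processes from /proc (Linux; run as root to read
    every process's exe link). Entries that vanish mid-scan are skipped."""
    out: List[Tuple[int, str, str]] = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm", encoding="utf-8") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        out.append((pid, comm, exe))
    return out


# Constructed sample: one genuine sshd, one fake sshd living under the
# Magento media directory, one fake named whose file was deleted, and
# an unrelated php-fpm worker.
SAMPLE_PROCS: List[Tuple[int, str, str]] = [
    (812, "sshd", "/usr/sbin/sshd"),
    (4711, "sshd", "/var/www/html/pub/media/.cache/sshd"),
    (4712, "named", "/tmp/.x/named (deleted)"),
    (30, "php-fpm", "/usr/sbin/php-fpm7.4"),
]


if __name__ == "__main__":
    procs = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, comm, exe in find_masquerading(procs):
        print(f"suspicious: pid={pid} comm={comm!r} exe={exe}")
```

On the constructed sample this reports pids 4711 and 4712 and nothing else. The check is deliberately narrow: it catches the name-borrowing trick described above, but a legitimately relocated daemon is a false positive, and a RAT that hides via an LD_PRELOAD or kernel rootkit rather than a fake name will not appear in /proc at all, so treat a clean result as necessary, not sufficient.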

“The dropper is designed to parse many different Magento deployment setups. Second, the PHP code seems to be written by someone unfamiliar with PHP. It uses shared memory blocks, which is rarely used in PHP but is much more common in C programs,” the researchers said.

Sansec has found several similar RATs on different systems, compiled on various Red Hat and Ubuntu Linux hosts, which suggests that multiple people are involved in the campaign, or that the criminals obtained the RAT source code from public sources or bought it on dark web markets.

The researchers said they reached out to owners of compromised online stores to inform them their servers were hijacked.
